Destructive Shamoon variant suspected to be behind Saipem cyber attack

• In 2012, the notorious Shamoon malware was used against the Saudi Arabian and other oil companies.
• An updated version of the malware emerged in 2016, affecting various organizations in the Persian Gulf, including Saudi Arabia’s General Authority of Civil Aviation.

Two new samples of the Shamoon data-wiping malware have been spotted in the wild recently. The destructive malware, which was first discovered in 2012 during a cyber attack against Saudi Aramco oil provider, is blamed for the attack on Saipem that occurred on December 11, 2018.

Adam Meyers, vice president of cybersecurity firm CrowdStrike, said that the behavior of the new Shamoon variant matched with that of the malware used in the 2012 attack campaign, Reuters reported.

In 2012, the notorious Shamoon malware was used against the Saudi Arabian and other oil companies. The malware wiped out data on over 30,000 systems.

An updated version of the malware emerged in 2016, affecting various organizations in the Persian Gulf, including Saudi Arabia’s General Authority of Civil Aviation (GACA). The second version of the malware, dubbed Shamoon 2, was observed in 2017 targeting virtualization products.

Capabilities of Shamoon

Shamoon primarily focuses on erasing data from infected systems. It also attempt s to destroy the hard disk and make systems unusable. The malware uses Windows Server Message Block (SMB) to spread rapidly into affected networks. It typically uses a set of hard-coded domain credentials to steal credentials from targeted organizations. Shamoon disables computers by overwriting the master boot record.

After the 2012 attack, the malware was dormant until it resurfaced in late 2016. It was responsible for a series of attacks in the Middle East that continued through early 2017.

Security researchers at Chronicle, Google’s new sister company, noted that the malicious files related to Shamoon’s new variant were uploaded to VirusTotal during the same time that the attack occurred on the Italian oil-service firm Saipem. However, the researchers say that there is no proof that the new variant is linked to the specific attack, SecurityWeek reported.

Phil Neray, vice president of Industrial Cybersecurity at CyberX agrees with Chronicle researchers’ assessment.

“It's still too early to tell, but given Saipem's position as a trusted 3rd-party supplier to Saudi Aramco, an educated guess would be that the adversary is the same one that attacked Saudi Aramco in the past - which points to the destructive Shamoon attacks of 2012 and 2016, now widely-attributed to Iran,” said Neray.